[gnutls-dev] RFC: PKCS#11 plans

Simon Josefsson simon at josefsson.org
Mon Apr 23 18:46:17 CEST 2007

ludovic.courtes at laas.fr (Ludovic Courtès) writes:

> Hi,
> Simon Josefsson <simon at josefsson.org> writes:
>> That seems to use the scdaemon protocol, but that protocol isn't
>> sufficient for what GnuTLS needs -- for example, I can't read
>> certificates from the smartcard via that protocol for OpenPGP cards.
>> GnuTLS needs the certificates.
> In this context, shouldn't we question the assumption that GnuTLS
> absolutely needs access to private keys?  It seems that many smartcards
> don't offer this option for security reasons: instead they only allow,
> for instance, encryption/decryption of arbitrary data, as well as
> extraction of the public key (certificate).

Yes!  There are plans for GNOME Seahorse to provide a PKCS#11
interface for the private keys/certificates stored in the gnome
keyring.  This was what prompted my work on PKCS#11 support in GnuTLS.

One could also write a really simple PKCS#11 plugin that uses on-disk
private key/certificates.  This could be written using the GnuTLS
X.509 APIs.

In any case, the primary goal of my PKCS#11 work is to avoid the need
for GnuTLS to have access to private keys.  It just needs to read
certificates from somewhere, and have an interface to signing
operations.  Whether that is PKCS#11 or some IPC protocol to some
external gnutls-daemon-like process is an open question.

> See the thread at:
>   http://article.gmane.org/gmane.comp.gnu.gnupg.users/10411
>   http://article.gmane.org/gmane.comp.gnu.gnupg.users/10429
> (In addition, the opinion of Werner Koch in the second message is that
> GnuTLS could directly talk to `gnupg-agent' instead of having its own
> infrastructure.  Wouldn't that make sense?)

Yeah, but it turned out that gpg-agent cannot support this, since it
is not possible to get user certificates from it.  GnuTLS would have
to talk to 'gpgsm --server' as well.  I don't think the GnuTLS library
should fork+exec external programs so this approach doesn't work.
Thus, implementing PKCS#11 and using the Scute PKCS#11 provider (which
does talk to gpg-agent, scdaemon, and gpgsm) seems simpler, and even
more flexible.

